Will the complaint against Meta over the transfer of European data to the United States reach a conclusion in 2022?

The Irish Data Protection Commission (DPC), the competent authority for GDPR cases involving Meta, has given a glimpse of the outcome of a case launched in 2020. Since the end of the Privacy Shield, the agreement that governed data transfers between the United States and the European Union, Meta has been accused of acting illegally by continuing this practice.

Meta cries out for a new Privacy Shield

DPC Deputy Commissioner Graham Doyle told TechCrunch that “Meta has 28 days to make submissions on this preliminary decision, after which we will prepare a draft Article 60 decision for other relevant supervisors.”

In practical terms, Mark Zuckerberg’s group has 28 days to make its case on the DPC order. The DPC’s decision will then be sent to the other European data protection authorities concerned. They will have one month to raise objections or disagreements with the DPC’s draft; this is the Article 60 procedure.

The contents of the preliminary decision have not been disclosed, but there is very little chance that it will suit Meta. The American company tried to have the legal proceedings annulled in Ireland in 2021, without success.

The social media giant has regularly complained about the lack of a framework for data transfers since the end of the Privacy Shield, going so far as to declare on February 3 that it could withdraw Instagram and Facebook from the continent.

Contacted by TechCrunch to react to the DPC’s preliminary decision, Meta gave a now-familiar response: “Suspending data transfers would harm not only the millions of EU individuals, charities and businesses that use our services, but also the thousands of other businesses that rely on EU-United States to provide worldwide service”.

The ideal solution for Meta, but also for Google and other European and American companies, would be a successor to the Privacy Shield, which was struck down by the Court of Justice of the European Union in 2020. However, ongoing negotiations are proving complex. The United States does not want to abandon the Cloud Act, the law allowing the country to monitor the data present on its territory, which puts it in conflict with the European GDPR.

While waiting for a very hypothetical agreement, the legal position of Meta, which continues to send European data to the United States, is very fragile. The risk of sanction from the DPC is very serious.

The DPC under close watch

For its part, the Irish regulator is under pressure: it is regularly accused of being too soft on GAFAM and of not doing its job. Its conclusions and its speed of execution will therefore be scrutinized.

All the more so since Max Schrems, who filed the initial complaint against Meta, obtained swift handling of the case from the DPC in January 2021. He also accused it of corruption in November 2021, still in connection with this procedure.

The long-awaited decision could indeed arrive by the end of 2022. If the European data protection authorities, normally consulted in April according to Graham Doyle, see no major objections to the DPC’s position, the case will reach its conclusion. Otherwise the European Data Protection Board will act as arbitrator, a process that should be completed before 2023. Meta should therefore learn this year whether it faces a potentially heavy sanction.
